Something Awesome : Securely installing custom router firmware (OpenWRT)
========

## General overview:

In web security, it is important to make sure an entire network is safe from intrusion. One important part is securing routers and other networking infrastructure, which can have known firmware issues and are often neglected by users (a recent lecture showed only a couple of people had ever updated their routers). Often routers come with stock firmware which is no longer updated after a few years, has publicly known unfixed vulnerabilities or even is intentionally backdoored.

For my project, I will try to properly install OpenWRT (or another custom firmware option) as it is popular, still in active development and I have heard very good reviews about it in technology forums.

## Goals:

Half of this project is researching how to properly install OpenWRT. The other half is setup and post-setup.

1. check if router is compatable with OpenWRT. if not, pick another firmware (Tomato, DD-WRT?), if not, pick another project :P
2. learn how to flash firmware to a router without bricking it
3. look at specific setup instructions for OpenWRT
4. try to harden the setup (eg. filtering, turning off any risky defaults like uPnP)
5. do a basic external pentest of the network (as suggested in lectures by Norman) to know which devices can be directly attacked externally (if any). eg. try to nmap my IP

## Diary

### 27 March

Set goals, began research on OpenWRT.

### 29 March

Checked my current router, appears to be an TP-Link Archer C7. Found [the OpenWRT page](https://openwrt.org/toh/tp-link/archer-c7-1750), looks like it's supported, will need to check which version though (router version v1 does not support current OpenWRT release, but v2-v5 do).

Found https://routersecurity.org , appears to be a useful source of general information and details on hardening. The site suggests DD-WRT and OpenWRT. OpenWRT appears to be more hackable while DD-WRT appears to be more basic but user-friendly.

### 1 April

Checked router, it is version v5. This means it supports the latest OpenWRT release. The page says some devices cannot be directly flashed, but [this reddit thread](https://www.reddit.com/r/openwrt/comments/44z61u) and some other forum posts say it was quite easy to install. Yay!

Current release is 18.06.2

### 2nd April

Found the [starter FAQ](https://openwrt.org/docs/guide-quick-start) and other guides. Both the OpenWRT pages and other sources confirm OpenWRT has very secure and sane defaults, unlike many other routers that use things like uPnP and WiFi with default passwords for convenience at the cost of them being easier to hack.

The OpenWRT page says the target is ar71xx-ath79 and to download the factory version since this is not an upgrade from 18.06.1. Learned a bit about TFTP (*Trivial* File Transfer Protocol) which might be needed if I somehow brick the router.

Downloaded image from [here](https://downloads.openwrt.org/releases/18.06.2/targets/ar71xx/generic/openwrt-18.06.2-ar71xx-generic-archer-c7-v5-squashfs-factory.bin).

Loaded image to USB and inserted to Archer C7 v5 router. The stock OEM firmware had a firmware upgrade option which was used to install the OpenWRT image. After a few scary minutes of nothing, the router booted with OpenWRT successfully installed.

Logged on with 192.168.1.1 and changed the default root password as suggested (it's really long now!).

### 3rd April

Setup WiFi with WPA2 PSK and a decently long password. Checked client isolation was on (this may theoretically be useful in mitigating pivot attacks). Changed the channel to 1 as it had less traffic.

Didn't setup SSH access. SSH should be safe enough though to enable since it's internal only.

### 7th April

Found packages section. Since OpenWRT is Linux-based, some of the packages were recognisable (iptables, hostapd, busybox). Installed network-wide adblock package ('adblock') with many of the in-built blocklists, such as ones aimed at malware and cryptominers. Reddit users say it updates itself which is nice.

This has the benefit of keeping family members and guests slightly safer from malicious sites while leeching of the WiFi!

### 8th April

Found a package that makes the router configuration page 192.168.1.1 run on HTTPS rather than HTTP. If a nearby attacker was present, this would make it safer to configure the router over WiFi without the password being stolen.

### 17 April

Couldn't find many more general hardening options for a home situation, since OpenWRT has a secure-by-default attitute (which is good to have). Quickly went through the [security checklist](https://routersecurity.org/checklist.php) page on RouterSecurity.org and most of these are already done without me touching them.

On the todo list:

 * check HTTP is disabled on the config page
 * restrict administration access by MAC address, or to Ethernet only (Ethernet only seems like a less tedious idea)
 * Disable less secure TKIP cipher on WiFi (CCMP ie. AES should be used exclusively)
 * Check the inbound firewall rules, even though most sources say they have great defaults
 * Is it possible to self-update the firmware?

### 19 April

Ensured HTTP was disabled by default once the HTTPS config page was installed. Disabled the weaker TKIP cipher.

Didn't want to mess with the firewall rules until I knew more about what traffic may be incoming (and how to block it properly). Better not to mess with them unless I know more about what I'm doing.

### 26 April

Used [yougetsignal.com](https://yougetsignal.com/tools/open-ports) to check if any common ports were exposed on my public IP address. The site has an option to check the 20 most common ports (FTP, SSH, TELNET, DNS, HTTP/S, etc.). None of them are open, which is great.

I plan to use `nmap` tomorrow to perform a more through scanning, as well as checking internally which devices will return pings (I believe a while ago I found an IoT device was returning pings when it had no need to).
